Mac Lockdown

In 2010, the NSA published a guide for hardening a Mac running Snow Leopard. However, the agency hasn’t updated its guide for current versions of MacOS. Macworld posted an excellent guide that should cover modern versions of Apple’s OS.

Admin vs. Standard Accounts

The two most popular ways hackers compromise your devices are through email and websites. When you’re browsing the web, make sure you do so using a standard account. Standard accounts have fewer privileges than admin accounts, making it harder for hackers to use your computer against you.

To make a standard account, go to System Preferences > Users & Groups. On the bottom left, click the “+” sign to get started.

Creating a Standard Account

Update Everything

One of the most important things you can do to keep your devices secure is always to update it to the latest version. Virtually every update, no matter the platform, fixes bugs and other vulnerabilities that the software engineers find.

Go to System Preferences > App Store and make sure that your Mac downloads updates automatically.

Staying Updated

Lock Down Account Settings

Going back to System Preferences > Users & Groups, you’ll want to lock down the following options.

Disable Automatic Login and User Lists

Although slightly inconvenient, especially since Apple added the ability to have your Apple Watch automatically log you in, it’s still a good thing to disable. Open the Login Options under Users & Groups and turn off Automatic Login. Next, make sure the Display login window asName and password.

This makes sure that anyone trying to log into your Mac needs to know your username in addition to your password.

Login Options

Disable Password Hints

Stay in the Login Options section and make sure that you disable password hints, or write something nonsensical that doesn’t have anything to do with your password.

Disable Guest Accounts And Sharing

While we’re at it, you should also disable guest accounts. Uncheck the options for Allow guests to log into this computer, as well as Allow guests to connect to shared folders. If you share your computer with your family or your friends regularly access your computer, you can enable parental controls for the guest account. Click Open Parental Controls and check the box next to Limit Applications.

Make sure that the only app guests can use is the web browser, or maybe a few more.

Disable Apple ID Password Reset

Go back into Users & Groups and uncheck the box next to Allow user to reset the password using Apple ID. Do this for every account. In case a hacker compromises your Apple ID, they won’t be able to reset and change your Mac’s password.

Note: I couldn’t find this setting on my MacBook running MacOS Sierra, so it’s possible Apple either removed this option or put it in a different area of System Preferences.

Security & Privacy

Next, we’re heading into System Preferences > Security & Privacy. Under the General tab, check Require password after sleep or screen saver begins. Set to immediately. Then, click the Advanced button and check Require an administrator password to access system-wide preferences.

Security & Privacy

Admin Password

FileVault

The first thing you should do when buying a new computer is to enable encryption. Thankfully, Apple added turning on encryption as part of its start-up options. If you haven’t already, it’s advisable to turn it on. While we’re still in Security & Privacy, click on the FileVault tab. It will take a while for your Mac to encrypt itself—up to an hour or more in some cases. You’ll need to keep it plugged into a power outlet too.

FileVault Encryption

During setup, you’ll have to write down the recovery key that it generates for you. It’s vital that you write it down and store it in a safe place, even if it’s in a password manager. If you forget your password, you can use the recovery key to log in. But if you forget both the password and recovery key, it will be impossible to log back in.

Make sure to check the box next to Do not store the recovery key with Apple. Although Apple can’t access your key without your answers to the security questions, it’s possible for hackers to try and guess. Finally, click Restart on the last screen, and the process begins. You can still use your Mac while it’s encrypting.

Firewall

Click on the Firewall tab and make sure you turn it on. Open Firewall Options and check Block all incoming connections, as well as Enable stealth mode. Uncheck the box next to Automatically allow signed software to receive incoming connections.

Keep in mind that blocking all incoming connections will break all sharing services, like iTunes sharing and such. But the NSA trusts no one, and we’re trying to emulate them.

MacBook Firewall

Privacy

Finally, under the Privacy tab, open Location Services and uncheck the Enable Location Services box. Next, open Diagnostics & Usage and uncheck Send diagnostic and usage data to Apple. Again, sending diagnostic data is genuinely useful to Apple and developers, but not if we’re NSA. For regular, non-paranoid people, it’s okay if you leave these on. Turning off location services will make it hard to use Maps, Weather, Calendar, etc.

Macbook Privacy

iCloud

Syncing to iCloud isn’t too much of a security risk. However, you’ll want to disable Back to My Mac and Find My Mac. This ensures that hackers can’t gain remote access or wipe your Mac in case they hack your Apple ID. To do this, go to System Preferences > iCloud. Scroll down to the bottom and uncheck the two boxes.

iCloud Preferences

Firmware Password

Setting a firmware password means that a hacker needs to crack one more password to break into your Mac. To set one up, restart your Mac. As it reboots, hold down Command + R to boot into the recovery partition. Select Utilities > Firmware Password Utility and create a password. You’ll need this password to boot into recovery mode or from an external hard drive.

Firmware Password

Wi-Fi

Go into your Wi-Fi settings and make sure that Remember networks this computer has joined is turned off. This prevents your Mac from looking for public networks and possibly leaking information. Go to System Preferences > Network > Advanced and uncheck the specified box.

Network Preferences

Other Services

This is the difficult part of the guide because it will alter your Mac’s functionality.

Disable iSight

Some people put tape over their webcam, and others disable it with an AppleScript. Go to GitHub and download the iSight Disabler. It lets you easily enable/disable your Mac’s webcam to prevent people from spying on you.

iSight Disabler

Setuid and Setgid

The seguid function sets users IDs, while the setgid function sets group IDs. A hacker could use either of these to gain elevated control with administrative privileges. Messing with these binaries will alter your Mac’s functionality. It’s only recommended for advanced users. Open Terminal and type in the following commands:

sudo find / -perm -04000 -ls
sudo find / -perm -02000 -ls

These commands give you a big list of apps. Not all of these apps need root, wheel or admin permissions. Since you’re using your Mac as a standard user, changing these might break apps you use. You can, however, change them back.

Disable Bluetooth

You’ll want to disable Bluetooth to prevent various wireless hacks. Go to System Preferences > Bluetooth to turn it off. If you rely on AirDrop or use a Bluetooth keyboard and mouse, you’ll obviously want to keep it on.

Bluetooth

Safari

Go to Safari > Preferences and uncheck the box next to Open safe files after downloading. Then, click on the Security tab and uncheck Enable JavaScript and Allow Plug-Ins.

Disable Open Safe Files

Disable JavaScript and Plug-Ins

Conclusion

Congratulations! You’ve now secured your MacOS device like an NSA agent. Your Mac is safe, and you should have gained a greater appreciation of the dangers on the web. You can find our other guides, like creating a secure password and using secure apps.